Law Enforcement Exception to HIPAA: What Providers Need to Know

Executive Summary 

A law enforcement official may request the medical records of a certain patient. Thus, it is important that healthcare organizations understand how to appropriately respond to such a request and avoid HIPAA breaches and associated fines.  

Recommended Actions  

Conduct annual HIPAA training for all staff members that includes information regarding HIPAA Privacy Rule exceptions. 

Ensure that your organization has a process for flagging and handling medical record requests from law enforcement and that everyone in the office receives training about that process. 

Implement a checklist to use whenever your practice gets a medical record request from law enforcement to ensure that staff members respond to such requests in a consistent manner. 

Healthcare providers may receive a verbal or written request for protected health information (PHI) or copies of medical records from law enforcement officials as part of their investigation process. For example, law enforcement may need to follow up on suspected child abuse or investigate an altercation that resulted in a crime. 

The HIPAA Privacy Rule contains an exception for law enforcement purposes1 that permits a covered entity to disclose PHI to law enforcement officials without patient authorization under the following circumstances: 

  • If there is a court order, court-ordered warrant, subpoena or administrative request 
  • To identify or locate a suspect, fugitive, material witness or missing person  
  • To answer a law enforcement official’s request for information about a victim or suspected victim of a crime  
  • To alert law enforcement of a person’s death if the organization suspects that criminal activity caused the death  
  • When an organization believes that PHI is evidence of a crime that occurred on its premises 
  • In a medical emergency not occurring on its premises, when it’s necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims and the perpetrator of the crime 

For purposes of this exception, “law enforcement official” is defined broadly and means an officer or employee (state or federal) who investigates or conducts an official inquiry into a potential violation of law or prosecutes or otherwise conducts a criminal, civil or administrative proceeding arising from an alleged violation of law. Some examples of law enforcement officials include officers, investigators and detectives from a sheriff’s office, the FBI and state agencies. 

If a law enforcement official sends a letter requesting records, the letter will likely tell you where to send the requested records in addition to providing the law enforcement official’s contact information. Many times, the cover letter or request will not have a “cc” line copying the other party because the investigation is sensitive or confidential. 

Law enforcement officials may also verbally request PHI or copies of medical records from your organization either over the phone or in person. If a law enforcement official comes to your organization’s office in uniform and provides proper identification (business card or law enforcement ID or badge), then it is appropriate to produce the PHI. 

If the request comes via phone call, you are required to receive further verification before releasing PHI. You should ask the caller to provide a formal request in writing with a citation to the requestor’s source of statutory authority under state or federal law. The writing can be on an official letterhead or by email if the message includes the necessary citations to authority and is sent from the official’s work email address.  

You generally do not have to obtain an individual’s written authorization before disclosing his or her PHI if you receive a written or adequate verbal request from a law enforcement official. However, there is a limited exception if the law enforcement official is requesting the PHI of an adult patient who is a victim of abuse. In this situation, you usually must obtain authorization from the adult before disclosing anything to the official.  

Accordingly, a healthcare organization that receives a request for PHI from a law enforcement official for law enforcement purposes should feel comfortable complying with the request and recognize that producing the records to law enforcement is low risk. 

Recommended Resources 

HHS – FAQ: When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? 

HHS – FAQs on Disclosure for Law Enforcement Purposes 

HHS – Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement 

Lessons Learned  

If your healthcare practice is unsure about a certain written request, contact the law enforcement office and clarify that the office made the request and the reason for it. 

Ensure that you’re sharing only the patient records requested and nothing more.  

When transmitting the medical records, ensure that your office delivers them in a HIPAA-compliant manner.

Potential Damages 

If a healthcare organization inappropriately discloses PHI, it could face a HIPAA violation and the associated fines and financial penalties. However, such violations, where a policyholder wrongfully releases PHI to a law enforcement official, occur very infrequently. Thus, law enforcement requests are generally considered low risk.

Quiz 

Answers are provided below. True or false?  

Question 1: If a law enforcement agent requests medical records via phone call, a provider should ask that the caller provide a formal request in writing before releasing any PHI.  

Question 2: The HIPAA Privacy Rule contains an exception permitting a covered entity to disclose PHI to law enforcement officials without patient authorization if there is a court order or a court-ordered warrant. 

Question 3: When complying with a law enforcement agent’s request for the PHI of an adult patient who is the victim of abuse, a provider should obtain the specified patient’s written authorization before disclosing their PHI. 

Answers 

Question 1: True. If a request comes via phone call, you are required to receive further verification before releasing PHI. You should ask the caller to provide a formal request in writing with a citation to the requestor’s source of statutory authority under state or federal law. The writing can be on an official letterhead or by email if the message includes the necessary citations to authority and is sent from the official’s work email address. 

Question 2: True. The HIPAA Privacy Rule contains an exception permitting a covered entity to disclose PHI to law enforcement officials without patient authorization if there is a court order, court-ordered warrant, subpoena or an administrative request. 

Question 3: True. You generally must obtain authorization from an adult patient who is the victim of abuse before disclosing their PHI if you receive a written or adequate verbal request from a law enforcement official.  

11/22

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.